Improve the documentation for CIFS shares.

[auralsun]

This isn't so much a feature request as it is a plea for FreeNAS' development team to make FreeNAS more usable by improving the documentation.

I have a background in systems administration and have been attempting unsuccessfully to configure a CIFS share according to my specifications (all users have access to common files, and each user has exclusive access to their user folder) for about 12 hours. You can read about my adventures here.

FreeNAS.org has a "For Home" section where you sell FreeNAS appliances to home users, and honestly it seems ludicrous to expect the average home user to successfully configure FreeNAS on their home network given the current state of CIFS documentation.

I have two suggestions:

Improve tooltip descriptions: many of the tooltip descriptions are vague at best, and a lot of advanced / non-intuitive options have no tooltips whatsoever. For example, the "Apply default permissions" tooltip says "recursively set sane default windows permissions on share". The way this is phrased makes it seem like a no-brainer option to check, but the web documentation is much more clear: "sets the ACLs to allow read/write for owner/group and read-only for others; should only be unchecked when creating a share on a system that already has custom ACLs set." I'm currently ignoring the tooltips because following along with the web documentation seems to be the only way to get detailed information about what each option is actually doing.

Establish and maintain a few possible share configurations for each share type: permissions for home NAS devices shouldn't be that complicated -- there are only a few configurations users are likely to opt for, most of which are described in this tutorial (which no longer works with the current FreeNAS version). From what I can see, it seems that forum users have been doing this for ages -- the problem is that the tutorials are not picked up and maintained as part of the FreeNAS documentation.

I've all but given up at this point as even the official documentation points to a broken link for the share configuration I'm trying to achieve (Set Permission to allow users to share a common folder & have private personal folder).

 

[dlavigne]

The wizard in the upcoming 9.3 version should resolve most of these issues. Believe me, the 9.2.1.x series was painful wrt CIFS, and this is being addressed for 9.3.

 

[cyberjock]

auralsun,

I totally agree with you. Unlike Dru's opinion, I don't think it's going to help with some of the problems you are having. The documentation does *badly* need to be corrected though. And in my opinion resources should be devoted to fixing the documentation before 9.3. I personally don't feel that waiting for 9.3 to fix the manual is a suitable alternative, especially when October is the "best case scenario" for 9.3 being released.

Permissions are a major problem for many people. The main reason, in a nutshell, is that ZFS uses NFSv4 permissions while FreeBSD uses unix permissions and CIFS/AFP use ACLs. There is a "flowchart" for mixing and matching them, but they are *not* truly compatible with each other. You kind of have to "pick one and go with it" and with some trickery you *can* manage to use unix and ACLs simultaneously. But, to prevent corruption of ACLs, unix permissions are often blocked because they would corrupt the ACLs. It's something I've written in my partial permissions guide, but God only knows when I'll get to finish it. I've talked to the developer that handles permissions on FreeNAS and he has told me several times that permissions aren't going to change significantly in the future unless there's some secret feature that isn't documented anywhere that makes all of this work better. :/

 

[auralsun]

dlavigne,

Thanks. Do either of the 9.3 ALPHA / BETA versions include the wizard you're referring to, or should I wait for the RELEASE version?

 

[auralsun]

cyberjock,

I'm not familiar enough with FreeNAS' development roadmap to comment on the 9.3 wizard one way or another, but I sincerely hope that measures are taken to make FreeNAS share permissions more intuitive. I think that even among FreeNAS' tech-savvy users, you're going to be hard-pressed to find many people experienced with the three permission types you mentioned.

From my research, it seems that FreeNAS is the most reliable freeware NAS solution available. I'm currently using a ghetto Windows NAS running RAID1 with very limited disk protection features in comparison to what FreeNAS provides and want to switch to a more stable solution as soon as possible. Another friend recommended unRAID, but I spec'd my build specifically for FreeNAS with 16gb of ECC ram and server-grade hardware that would honestly be overkill in an unRAID build. So, I really want to use FreeNAS, but I'll be damned if I can ever get it set up on my home network.

I suspect that the demand for FreeNAS will increase over time for home users -- so it's a shame permissions are so frustrating to figure out in FreeNAS' current state.

 

[panz]

All my FreeNAS installations are working like a charm with CIFS: a little-big trick is to disable the Home Group in all the Windows 7 computers.

 

[auralsun]

panz,

Did you follow any particular guide to get your CIFS share up and running?

Home Group is enabled on my network -- I'll shut it off and give it another shot soon. Haven't heard that one before, thanks!

 

[esamett]

Would it be reasonable for 9.3 to offer a couple of configuration options for WinACL, other than just the "sanity" option? A full_permissions options for all would be very helpful for home users like myself who have a poor understanding of the proper use of permissions.

 

[panz]

panz,

Did you follow any particular guide to get your CIFS share up and running?

Home Group is enabled on my network -- I'll shut it off and give it another shot soon. Haven't heard that one before, thanks!

No, I didn't follow any guide, only my experience, keeping in mind that "simple is better" :)

So, two fundamentals are: if your Windows workstations have the workgroup set to WORKGROUP, I setup WORKGROUP in Network Settings -> Global Configuration -> Domain of the FreeNAS' GUI.

Then - in a fresh FreeNAS installation - I always start by creating a Group (let's call it INTRANET) : this is the SAME NAME as the group my -even single - Windows user is in. So, if my user on the Windows machine is panz and the Group in the Windows machine is INTRANET, the same must be on the FreNAS machine.

After the creation of the group INTRANET on the FreeNAS machine I create the user "panz" : this user has its own group (created automatically by FreeBSD). You have to put this user in the INTRANET Group by adding the user - during its creation - to the INTRANET group: you find it at the bottom of the box when you crate the user. Simply choose the group then click onto the right arrow to add the user to the selected group.

IMPORTANT: the user panz on FreeNAS MUST have the SAME PASSWORD as the user panz on Windows 7!

Then, and ONLY THEN, I create the datasets.

During dataset creation I select the Windows ACLs permissions type. Click ok.

Then I come back to that dataset's "edit permissions" and set the user to panz and the group to INTRANET.

DO NOT check any recursive option!

Now we're ready to share something. Let's go to CIFS sharing and share the dataset we've just created. I always keep consistency with names, so if I'm sharing the "documents" dataset, the name of the share will be "documents".

Just point the path to /mnt/poolname/documents and you're done. I don't touch any other option.

 

[Ericloewe]

No, I didn't follow any guide, only my experience, keeping in mind that "simple is better" :)

So, two fundamentals are: if your Windows workstations have the workgroup set to WORKGROUP, I setup WORKGROUP in Network Settings -> Global Configuration -> Domain of the FreeNAS' GUI.

Then - in a fresh FreeNAS installation - I always start by creating a Group (let's call it INTRANET) : this is the SAME NAME as the group my -even single - Windows user is in. So, if my user on the Windows machine is panz and the Group in the Windows machine is INTRANET, the same must be on the FreNAS machine.

After the creation of the group INTRANET on the FreeNAS machine I create the user "panz" : this user has its own group (created automatically by FreeBSD). You have to put this user in the INTRANET Group by adding the user - during its creation - to the INTRANET group: you find it at the bottom of the box when you crate the user. Simply choose the group then click onto the right arrow to add the user to the selected group.

IMPORTANT: the user panz on FreeNAS MUST have the SAME PASSWORD as the user panz on Windows 7!

Then, and ONLY THEN, I create the datasets.

During dataset creation I select the Windows ACLs permissions type. Click ok.

Then I come back to that dataset's "edit permissions" and set the user to panz and the group to INTRANET.

DO NOT check any recursive option!

Now we're ready to share something. Let's go to CIFS sharing and share the dataset we've just created. I always keep consistency with names, so if I'm sharing the "documents" dataset, the name of the share will be "documents".

Just point the path to /mnt/poolname/documents and you're done. I don't touch any other option.

Just a small note: The passwords do not have to match. If they're different (or no such username exists), Windows will prompt for a Username/Password combination and optionally memorize it.

 

[panz]

This throws out an error if Windows 7 has the Home Group set. Samba is a mess with permissions.

 

[Ericloewe]

This throws out an error if Windows 7 has the Home Group set. Samba is a mess with permissions.

Works fine in my case, regardless of Homegroup being active.

 

[panz]

It works because you have less "restricted" ACLs on the Windows side. But, if you have granular permissions it will not work.

 

[RiBeneke]

I too would welcome some resource where I can learn how to set up permissions.

We have a FreeNAS 9.2.1.6 using CIFS on a network that had WinXP and Win7 PCs with 4 or 5 users on a Workgroup..
We also use DHCP on pfSense as master browser (and firewall).
The permissions for 4 shares on FreeNAS were set up at multiple folder levels using Unix permissions some years ago and it worked well.

Then along came the FreeNAS 9.2.x.x releases with SMB advancements and things stopped working properly.
I think the permissions change in SMB2.1 or SMB3 caught many people by surprise.
In the last few days we have upgraded the WinXP to Win7 and have unthinkingly allowed Windows to set up Homegroup (as distinct from Workgroup).
Instead of an upgraded system we now have a mess to navigate and I am struggling to find useful advice.

We have file ownership being taken by SID 5-1-21-xxx (which may represent the pseudo HomeGroupUser$ account created by Windows, but im not sure).
We have pages of unexplained FreeNAS log messages : sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-xxx.
We have /var log files that overflow on FreeNAS and the only solution I understand is to reboot once a day.
We have users who open files and are not allowed to save them again.
The Windows permission dialogue makes no sense to me as our current users are not listed, only "Everyone" and "S-1-5-21-xxx", so I have not yet managed to set up ACLs.
Windows Homegroup has taken over as network master browser and I cant find where to change that.

I am not wanting to blame anyone or rant.
Part of our problem is the hybrid of various systems.
I just wish I knew where to look for guidance to straighten the mess.
The FreeNAS 9.2.1.6 errata doc started to point me in the right direction.
Any advances on this user information would be most welcome.

 

[RiBeneke]

Some things I have learned that may be of use to others :
Disable Windows Homegroups in Windows Services, turn off password protected sharing and enable 'Users and passwords' instead of 'Windows manage ..'

It seems there is some mapping required between the users we have set up on FreeNAS and the users on various Windows machines.
The ArcStorage NAS system has an interface to set this up. Maybe it should happen automatically under the hood in FreeNAS, maybe ours is messed up and I dont know how to reach it to fix ??